Researchers find new malware variant after stopping attack on Ukrainian energy provider

Ukrainian officials said they stopped an attack on an energy facility with the help of researchers from ESET and Microsoft. In the process of stopping the attack, they discovered a new variant of Industroyer, an infamous piece of malware that was used by the Sandworm APT group in 2016 to cut power in Ukraine.

CERT-UA, the Governmental Computer Emergency Response Team of Ukraine, said the attack used Industroyer to target “several infrastructural elements” including high-voltage electrical substations, computers at the facility, network equipment and server equipment running Linux operating systems.

“It is known that the victim organization suffered two waves of attacks. The initial compromise took place no later than February 2022,” CERT-UA explained. 

“The disconnection of electrical substations and the decommissioning of the company's infrastructure was scheduled for Friday evening, April 8, 2022. At the same time, the implementation of the malicious plan has so far been prevented.”

In an explainer on the situation, ESET said it also saw the attackers use several other destructive malware families including CaddyWiper, ORCSHRED, SOLOSHRED and AWFULSHRED.

ESET said it was unsure of how the attackers compromised the initial victim or how they managed to move from the IT network to the Industrial Control System (ICS) network. But CERT-UA said the attackers were able to move laterally between different network segments “by creating chains of SSH tunnels.”

SSH tunnels allow users to forward connections to a remote machine through a secure channel from a port on a user’s desktop.

“Ukraine is once again at the center of cyberattacks targeting their critical infrastructure. This new Industroyer campaign follows multiple waves of wipers that have been targeting various sectors in Ukraine,” ESET said. 

Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, said on Twitter that they are working with CERT-UA on the attack. 

Ukrainian government spokesperson Victor Zhora told Reuters that the attack was designed to “disable a number of facilities, including electricity substations," and attributed it to actors supporting the recent invasion of Ukraine by Russia. 

"This is a military hacking team," Zhora said.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles

Jonathan Greig

Jonathan Greig

is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.